Hi there,
I'm trying to get ZAP to not find any faults with my CSP. I am receiving the "CSP: Wildcard Directive" alert for my site. Here is the 'Other Info' section from that alert:
The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:
script-src, style-src, img-src, connect-src, frame-src, font-src, media-src, manifest-src, worker-src
Here is the evidence section for that alert:
default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src 'self' https: 'nonce-ME3tOsgUxxXaHDLmI7HFfQ=='; style-src 'self' https: 'nonce-ME3tOsgUxxXaHDLmI7HFfQ=='; connect-src 'self' https:; form-action 'self'; frame-ancestors 'none'; report-uri /content_security_policy/report; sandbox allow-scripts allow-same-origin allow-downloads allow-forms allow-modals allow-popups
Many of the directives it is complaining about are actually present in the CSP header. For example, script-src is either 'self' or requires a nonce; I don't understand ZAP's definition of 'overly broadly defined' in this case. Can somebody clarify what is meant and, in this case, what would be required for ZAP to approve of script-src?
FYI, I am using ZAP 2.16.1 on OSX.
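A small checker, added here as an illustration and not code from ZAP or the original post, that reproduces the alert's directive list under the assumption that ZAP counts a scheme-only source such as `https:` as a wildcard and that an undefined fetch directive inherits default-src. Run on a constructed abridgement of the posted header it flags all nine directives; with the `https:` sources removed it flags none.

```python
from typing import Dict, List, Optional

# Added example, not ZAP's code. Assumes ZAP's "Wildcard Directive" rule
# counts a bare scheme source such as `https:` as a wildcard, and that an
# undefined fetch directive inherits default-src (as CSP3 specifies).
FETCH_DIRECTIVES = [
    "script-src", "style-src", "img-src", "connect-src", "frame-src",
    "font-src", "media-src", "manifest-src", "worker-src",
]
# Source expressions treated here as wildcards: `*` and scheme-only sources.
WILDCARD_SOURCES = {"*", "https:", "http:", "ws:", "wss:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Sources governing `directive`, falling back to default-src."""
    return policy.get(directive, policy.get("default-src"))


def broad_directives(header: str) -> List[str]:
    """Fetch directives that are undefined (with no default-src either) or
    whose effective source list contains a wildcard expression."""
    policy = parse_csp(header)
    flagged = []
    for d in FETCH_DIRECTIVES:
        srcs = effective_sources(policy, d)
        if srcs is None or any(s.lower() in WILDCARD_SOURCES for s in srcs):
            flagged.append(d)
    return flagged


# Constructed input, abridged from the header quoted in the post above.
POSTED_CSP = ("default-src 'self' https:; img-src 'self' https: data:; "
              "script-src 'self' https: 'nonce-ME3tOsgUxxXaHDLmI7HFfQ=='; "
              "connect-src 'self' https:; object-src 'none'")
# The same policy with every scheme-only `https:` source removed.
TIGHTENED_CSP = ("default-src 'self'; img-src 'self' data:; "
                 "script-src 'self' 'nonce-ME3tOsgUxxXaHDLmI7HFfQ=='; "
                 "connect-src 'self'; object-src 'none'")
```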